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1 1 . .A method for assigning a partially ordered set of classification levels to a set of 

2 data attributes, comprising: 

3 (a) providing at least one simple constraint imposing a classification level boundary 

4 for an associated attribute; 

5 (b) providing at least one complex constraint imposing another classification level 

6 boundary relating collectively to an associated collection of attributes; and 

^ 7 (c) assigning the classification levels to the attributes in a manner that satisfies the 

y 8 simple constraints and the complex constraints and avoids overclassifying the attributes, and 

l n' 

s 9 wherein the assigning is done according to an automatic algorithm having a 

H ! 10 complexity no greater than polynomial with respect to a size of the constraints and of the 

~j' 11 partially ordered set. 

1 2. The method of claim 1, wherein at least one of the classification level boundary 

2 and the another classification level boundary represents an upper bound. 

1 3. The method of claim 1 , wherein at least one of the classification level boundary 

2 and the another classification level boundary represents a lower bound. 
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1 4. The method of claim 1 , wherein at least one of the classification level boundary 

2 and the another classification level boundary specifies a particular classification level as a 

3 boundary. 

1 . 5 . The method of claim 1 , wherein at least one of the classification level boundary 

2 and the another classification level boundary is specified in terms of a classification level to 

3 be assigned to one of the attributes. 

1 6. The method of claim 1, wherein the at least one complex constraint imposes a 

2 lower bound on the least upper bound of the levels assigned to the associated collection of 

3 attributes. 

1 7. The method of claim 1, wherein the at least one complex constraint requires that 

2 at least one of the classification levels assigned to the associated collection of attributes is 

3 greater than a lower bound. 

1 8. The method of claim 1, wherein the at least one complex constraint comprises a 

2 constraint selected from the group of {inference constraints, association constraints, and 

3 integrity constraints} . 

1 9. The method of claim 1, wherein the partially ordered set is a fully ordered set. 

1 10. The method of claim 1, wherein the method is used to implement an information 

2 security policy. 
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11. The method of claim 1, wherein the method is used to implement a database 
confidentiality policy. 

12. The method of claim 1 , further including providing one or more soft constraints 
whose satisfaction is not mandatory, and wherein assigning the classification levels to the 
attributes includes selecting among a plurality of possible assignments based at least partly 
upon satisfaction of the soft constraints. 

13. The method of claim 1, further including checking the simple constraints and the 
complex constraints for consistency. 

14. The method of claim 1, wherein assigning the classification levels to the attributes 
is done in a manner that does not overclassify any of the attributes. 

15. The method of claim 1, wherein assigning the classification levels to the attributes 
is done in a manner that avoids overclassifying the attributes to a desired extent. 

16. The method of claim 1, wherein the complexity of the automatic algorithm is no 
greater than quadratic with respect to a size of the constraints and of the partially ordered set 
of levels. 

17. The method of claim 1, wherein the simple constraints and the complex 
constraints include one or more acyclic constraints, and the method further includes directly 
assigning to the attribute associated with each of the acyclic constraints the lowest 
classification level that satisfies the acyclic constraint. 
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18. The method of claim 1, wherein the simple constraints and the complex 
constraints are acyclic, and the complexity of the automatic algorithm is no greater than 
linear with respect to a size of the acyclic constraints and of the partially ordered set of levels. 

19. A method for assigning a partially ordered set of levels to a set of objects, 
comprising: 

(a) providing at least one simple constraint imposing a level boundary for an 
associated object; 

(b) providing at least one complex constraint imposing another level boundary 
relating collectively to an associated collection of objects; and 

(c) assigning the levels to the objects in a manner that satisfies the simple 
constraints and the complex constraints and avoids overclassifying the objects, and 

wherein the assigning is done according to an automatic algorithm having a 
complexity no greater than polynomial with respect to a size of the constraints and of the 
partially ordered set. 

20. An apparatus for assigning a partially ordered set of levels to a set of objects, 
comprising: 

(a) means for representing at least one simple constraint imposing a level boundary 
for an associated object; 
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(b) means for representing at least one complex constraint imposing another level 
boundary relating collectively to an associated collection of objects; and 

(c) means for assigning the levels to the objects in a manner that satisfies the simple 
constraints and the complex constraints and avoids overclassifying the objects, and further 
being operable to perform the assigning according to an automatic algorithm having a 
complexity no greater than polynomial with respect to a size of the constraints and of the 
partially ordered set. 

21 . A method for assigning access classification levels from a partially ordered set to 
a plurality of data attributes, comprising 

(a) providing one or more upper bound constraints each imposing an upper bound on 
the classification level to be assigned to an associated data attribute; 

(b) providing one or more lower bound constraints each imposing a lower bound 
relating collectively to the classification levels to be assigned to an associated collection of 
the data attributes; 

(c) determining an initial assignment of classification levels that satisfies the upper 
bound and lower bound constraints; and 

iteratively decrementing the levels assigned to each attribute while continuing to 
satisfy all of the provided constraints, thereby tending to decrease the overclassification of 
attributes and to increase data availability. 
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22. The method of claim 20, wherein the initial classification is found by assigning 
the highest classification level from the partially ordered set to each attribute and iteratively 
lowering the levels as required to satisfy all upper bound constraints. 

23. The method of claim 22, wherein the initial classification is found by assigning 
the lowest classification level from the partially ordered set to each attribute and increasing 
their levels until a classification that satisfies all constraints is found. 

24. A method for determining a minimal security classification for one or more 
attributes in a data set, comprising: 

generating a constraint graph, the constraint graph having nodes with different security 
levels and nodes with different attributes, the security level nodes and the attribute nodes being 
connected together to form a lattice; 

enforcing one or more upper bound security constraints wherein the upper bound 
constraint corresponds to the maximum security classification for the attribute to permit access to 
the attribute by as many people as possible; 

providing one or more lower bound constraints that protect the attribute from association 
and inference attacks; and 

determining a minimal security classification for the attribute based on the upper 
bound constraint and the one or more lower bound constraints so that the attribute is resistant 
to association and inference attacks yet accessible to many people as possible. 
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1 25. The method of Claim 24, wherein enforcing the upper bound security constraint 

2 further comprises propagating the upper bound constraint from the security node 

3 corresponding to the upper bound constraint through each attribute node of the constraint 

4 graph, determining, at each attribute node, if the security level of the attribute node 

5 dominates that propagated security level and lowering the security level of the attribute node 

6 to below the propagated security level if the propagated security level does not dominate the 

7 security level of the attribute node and the other constraints on the attribute node are not 

8 violated. 

1 26. The method of Claim 24, wherein determining the minimal security classification 

2 further comprises determining if the lower bound constraint is a cyclic constraint or an 

3 acyclic constraint, the cyclic constraints being resolved using a cyclic solving process and the 

4 acyclic constraints being resolves using an acyclic solving process wherein the cyclic 

5 constraint has a loop in the constraint graph. 

1 27. The method of Claim 26, wherein the acyclic solving process further comprises 

2 determining if the acyclic constraint is simple or complex, the simple acyclic constraint 

3 having no hypernodes in the constraint graph and the complex acyclic constraint having one 

4 or more hypernodes containing two or more attributes. 

1 28. The method of Claim 27, wherein solving for the simple acyclic constraint further 

2 comprises propagating the security levels in the constraint graph associated with the lower 



Gray Cary\HW7054 179.2 
1190526-991200 



^6-991200 -72- ^ 



Attorney Docket No. 1190526-991200 

3 bound constraints to the attributes nodes to determine the minimal security classification for 

4 each attribute node. 

1 29. The method of Claim 28, wherein solving the complex acyclic constraint further 

2 comprises upgrading the security level associated with the attributes in the hypernode of the 

3 constraint graph. 

1 30. The method of Claim 26, wherein the cyclic solving process further comprises 

2 determining if the cyclic constraint is simple or complex, the simple cyclic constraint having 

3 no hypernode in the constraint graph and the complex cyclic constraint having one or more 

4 hypernodes containing two or more attributes. 

1 31. The method of Claim 30, wherein solving the simple cyclic constraint further 

2 comprises assigning the same security level to the attribute nodes contained in the simple 

3 cycle. 

1 32. The method of Claim 30, wherein solving the complex cyclic constraint further 

2 comprises assigning the highest security level to each attribute in the complex cyclic 

3 constraint, lowering the security level of a selected attribute in the complex cyclic constraint 

4 and lowering the security level of another attribute if the lowering of the selected attribute did 

5 not violate any constraints. 

1 33. The method of Claim 32, wherein solving the complex cyclic constraint further 

2 comprises propagating the security levels in the constraint graph associated with the lower 
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bound constraints to the attributes nodes to determine the minimal security classification for 
each attribute node. 

34. A system for determining a minimal security classification for one or more 
attributes in a data set, comprising: 

means for generating a constraint graph, the constraint graph having nodes with different 
security levels and nodes with different attributes, the security level nodes and the attribute nodes 
being connected together to form a lattice; 

means for enforcing one or more upper bound security constraints' wherein the upper 
bound constraint corresponds to the maximum security classification for the attribute to permit 
access to the attribute by as many people as possible; 

means for providing one or more lower bound constraints that protect the attribute from 
association and inference attacks; and 

means for determining a minimal security classification for the attribute based on the 
upper bound constraint and the one or more lower bound constraints so that the attribute is 
resistant to association and inference attacks yet accessible to many people as possible. 

35. The system of Claim 34, wherein the enforcing means further comprises means 
for propagating the upper bound constraint from the security node corresponding to the upper 
bound constraint through each attribute node of the constraint graph, means for determining, 
at each attribute node, if the security level of the attribute node dominates that propagated 




Gray Cary\HV\7054 179.2 
1190526-991200 



Attorney Docket No. 1 190556-991200 -74- 

5 security level and means for lowering the security level of the attribute node to below the 

6 propagated security level if the propagated security level does not dominate the security level 

7 of the attribute node and the other constraints on the attribute node are not violated. 

1 36. The system of Claim 34, wherein the means for determining the minimal security 

2 classification further comprises means for determining if the lower bound constraint is a 

3 cyclic constraint or an acyclic constraint, the cyclic constraints being resolved using a cyclic 

4 solving means and the acyclic constraints being resolves using an acyclic solving means 

5 wherein the cyclic constraint has a loop in the constraint graph. 

1 37. The system of Claim 36, wherein the acyclic solving means further comprises 

2 means for determining if the acyclic constraint is simple or complex, the simple acyclic 

3 constraint having no hypernodes in the constraint graph and the complex acyclic constraint 

4 having one or more hypernodes containing two or more attributes. 

1 38. The system of Claim 37, wherein means for solving for the simple acyclic 

2 constraint further comprises means for propagating the security levels in the constraint graph 

3 associated with the lower bound constraints to the attributes nodes to determine the minimal 

4 security classification for each attribute node. 

1 . 39. The system of Claim 38, wherein means for solving the complex acyclic 

2 constraint further comprises means for upgrading the security level associated with the 

3 attributes in the hypemode of the constraint graph. 
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1 40. The system of Claim 36, wherein the cyclic solving means further comprises 

2 means for determining if the cyclic constraint is simple or complex, the simple cyclic 

3 constraint having no hypernode in the constraint graph and the complex cyclic constraint 

4 having one or more hypernodes containing two or more attributes. 

1 41. The system of Claim 40, wherein means for solving the simple cyclic constraint 

2 further comprises means for assigning the same security level to the attribute nodes contained 

3 in the simple cycle. 

1 42. The system of Claim 40, wherein means for solving the complex cyclic constraint 
iL 2 further comprises means for assigning the highest security level to each attribute in the 

U1 3 complex cyclic constraint, means for lowering the security level of a selected attribute in the 

m 

: 4 complex cyclic constraint and means for lowering the security level of another attribute if the 
~ 5 lowering of the selected attribute did not violate any constraints. 

0 

q 1 43. The system of Claim 42, wherein means for solving the complex cyclic constraint 

2 further comprises means for propagating the security levels in the constraint graph associated 

3 with the lower bound constraints to the attributes nodes to determine the minimal security 

4 classification for each attribute node. 
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